AD Permissions Reporter Progress Update

As I’ve had quite a bit of interest in the Active Directory permissions reporting tool that has been listed on the “Future Projects” section of my website for some time, I thought I would just post some details on how it is going and when you can expect to see it being released.

For anyone that isn’t aware of what exactly this program is, it is a tool for reporting security permissions on Active Directory objects (OUs, groups, users, containers, GPO objects, etc). By default it will just generate a report of all permissions on all objects, but using the granular filtering built into the program you could use it to audit specific delegated rights that have been granted in your AD domain. For example it could generate a report of who has been granted permission to change passwords on all user accounts in a particular OU (or the entire domain), who is allowed to delete certain types of objects, who can write to a certain AD property, and so on. It could also be used the other way around – to find all AD objects where a particular user or group has been used in security permissions (optionally taking group membership into account when doing this).
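As an added illustration of the kind of delegated-rights audit described above (this is example code written for this post, not the reporter tool’s own code), the following PowerShell uses the RSAT ActiveDirectory module to list which trustees hold the Reset Password extended right on user objects under an OU, and flags objects whose ACL blocks inheritance. The OU distinguished name is a placeholder; the two GUIDs are the well-known schema values for the Reset Password control access right and the user object class.

```powershell
# Added example, not the tool's code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ResetPasswordDelegation {
    param([string]$SearchBase = 'OU=Staff,DC=example,DC=com')   # placeholder OU

    # Well-known AD schema GUIDs: Reset Password extended right, user object class.
    $ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    $UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    $AllGuid            = [Guid]::Empty
    $ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Pull OUs and user objects under the search base with their security descriptors.
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=user)(objectClass=organizationalUnit))' `
        -Properties nTSecurityDescriptor

    foreach ($obj in $objects) {
        $acl = $obj.nTSecurityDescriptor    # System.DirectoryServices.ActiveDirectorySecurity

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Reset Password is an extended right; other right types cannot grant it.
            if (-not $ace.ActiveDirectoryRights.HasFlag($ExtendedRight)) { continue }
            # ObjectType Empty means "all extended rights"; otherwise it must name this one.
            if ($ace.ObjectType -ne $AllGuid -and $ace.ObjectType -ne $ResetPasswordRight) { continue }
            # On an OU the ACE only reaches user accounts if it is set to inherit and is
            # scoped to all classes (Empty) or to the user class specifically.
            if ($obj.ObjectClass -eq 'organizationalUnit') {
                if ($ace.InheritanceType -eq 'None') { continue }
                if ($ace.InheritedObjectType -ne $AllGuid -and $ace.InheritedObjectType -ne $UserClass) { continue }
            }
            [PSCustomObject]@{
                Object       = $obj.DistinguishedName
                Trustee      = $ace.IdentityReference.Value
                Right        = if ($ace.ObjectType -eq $AllGuid) { 'All extended rights' } else { 'Reset Password' }
                Inherited    = $ace.IsInherited
                # AreAccessRulesProtected = inheritance blocked on this object's ACL.
                BlocksInherit = $acl.AreAccessRulesProtected
            }
        }
    }
}

Get-ResetPasswordDelegation | Format-Table -AutoSize
```

Note that an LDAP objectClass=user match also returns computer accounts, since the computer class derives from user; filter on ObjectClass in the output if you only want people.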

There are of course other ways of getting this kind of information already, but command line tools or scripts don’t give very readable or accurate results in most cases and existing third party GUI tools are either overly complex or ridiculously expensive (or both). So as with all of my other tools, I’m aiming to make this as simple to use as possible whilst still having enough power to support more advanced reporting requirements. It won’t be quite as simple as my NTFS permissions reporting tool though purely because AD permissions are more complicated in general than file system permissions and there’s no way to hide absolutely all of that additional complexity.

So how is the tool coming along and when can you expect to see it?

Well, I’ve spent an awful lot of time on it recently, so it is progressing quite quickly now and I’m hoping to have a public BETA version available in a couple of weeks (I’ll hopefully have an early private BETA ready towards the end of next week, so if you’re interested in that then let me know). I’ve added some screenshots below, but bear in mind this is subject to change before the final program is released. One thing I’m considering changing is having the child “leaf” objects (i.e. anything that is not an OU or container) in a separate tree node named Child Objects or something like that, so that you don’t have to scroll past a load of user accounts if you just want to get to something in the next sub OU down. Unfortunately this isn’t as easy as you would think, because even user accounts are technically containers in AD (they can hold child objects), so it is hard to make the program know which items it should class as containers and which it should class as child objects.

Screenshot 1: Viewing the objects in the results (the red circle icon next to an object indicates that it does not inherit permissions from its parent)

Screenshot 2: Viewing a permissions entry on an object

There will also be a table view for anyone that would rather use that instead of a tree view like this, so hopefully everyone is happy.

I’m keen to hear what you think of the GUI so far, and by all means let me know if you have any suggestions on how you think it could be improved. I’ll have some more screenshots and details of the filtering system soon, along with some general progress updates on the Cjwdev Facebook page next week.

4 responses to AD Permissions Reporter Progress Update

Thanks Joe 🙂 and yeah, the GUI is kind of a combination of AD Tidy and NTFS PR, but with some improvements 😉 I have actually just finished making a change to the tree view that I mentioned I was considering doing in this blog post above – so now it hides common types of child objects (users, groups, etc.) in a separate “child objects” node. This makes it much easier to navigate around OUs that have lots of users in, but I’ll add an option to turn this off in case some people would rather just have every type of object listed directly.